We use Box as an enterprise file sharing & collaboration solution, with Active Directory Federation Services (ADFS) as our Identity Provider (IdP).
However, there are some limitations with this setup which are not particularly detailed anywhere, just omitted.
Below are some of the limitations I’ve found.
Out-of-the-box, ADFS does not leverage the Box API. This means that the only things that we get with ADFS is related to:
- Authentication: Authenticating to Box via ADFS for your enterprise.
- Provisioning: Access to folders with appropriate AD Groups & ADFS claims.
This only works when a user logs in via ADFS, with there being no ability to “sync” access or user accounts as ADFS is merely used for authenticating to Box via SSO.
As mentioned above, ADFS only works at login & this is the SSO login.
This is only completed via logging into Box via ADFS through a web browser. The process for the Apps (whilst using ADFS for initial authentication), is not a full SSO login.
So, for example, if a user was added to one or more SSO groups. They’ll not have their Box account updated with membership via ADFS until an SSO Browser Login.
I mentioned above that apps seem to behave differently.
Well ADFS is used for the initial authentication, once authenticated the app has access indefinitely.
The only way to remove access is to either set the Box account to inactive, delete the Box account or block app access.
This is the same for all Box Apps when ADFS is used for SSO, regardless of platform.
It’s worth mentioning that when looking at Box accounts & seeing if they are in use, that the Apps will only show a login for once in their usage.
So, someone can use a Box app daily, but if you’re generating a report on login activity. It will not show the apps, as such other reporting needs to be looked at for a true account of user activity.
“Deprovisioning” is when an account is either deleted or disabled from AD & then automatically deleted or set to inactive on Box.
Sadly, ADFS does not pass onto Box the userAccountControl attribute to automate the deprovisioning of accounts.
Therefore, if an account on AD is either deleted or disabled then nothing will change on their Box account until manually deleted from Box.
Other IdP’s can automate several functions when a new accounts are created on Box via them, sadly ADFS cannot as it’s purely for SSO.
“Personal Folders” is one such function, this is the creation of a folder for the logging in user in a directory. Such as a folder called “Joe Bloggs” being created automatically when “Joe Bloggs” first logs in.
Box have some documentation available here which advises on much of the above, without spelling it out.
Some of the pertinent information from that link quoted below:
Note: SSO with Box is an authentication method, not an integration. There is no method to sync the individual accounts in a user store to the user accounts in Box.
However, some IdPs (Okta, OneLogin, etc.) have various levels of integration to Box through the Box API, which means there may be additional functionality that can be utilized to bring the user store and Box accounts more in sync. Examples of this functionality include automatic account provisioning upon addition to the IdP, automatic account deprovisioning upon removal from the IdP, and groups being periodically synced between the user store and Box. Please reach out to your IdP to confirm if this functionality exists.
I hope the above is useful to some, it wasn’t clear to me what ADFS can do compared to other IdP’s. But as it’s merely for authentication, it seems quite limited.
Box does have a decent API & documentation which means that we leverage the same API calls that the other IdP’s use to automate things to automate them for ourselves.
Over the next week or so I’ll be sharing some scripts of mine that achieve some of the above.